The blame game is a tricky effort these days. Maybe it’s part of the problem, not the solution. Both arguments are flawed. And both are based on faulty zero-sum game theories, despite decades of economic data that prove otherwise.

I cringed at many of the comments made across this year’s political theater. It seemed every other “base rallying cry” was directed at either evil immigrants or evil billionaires being called out as being at the core of today’s problems. They’re taking our money or jobs, etc.

In short, I think both camps are dead wrong. Those demonizing these two groups are exposing deep emotions that run in the opposite direction to what they should be, especially given our challenges today. They are not leaders. They may be the source of the evil. I decided to compile a list of the two pillars of my thought process.

Feel free to change my mind. I think it’s still open.

Immigrants as the embodiment of evil

Even a cursory look at the companies, solutions, processes and enablers of this new age in America (and globally) is filled with the biographies of brilliant, risk-taking, hardworking immigrants who saw a need and filled it. Across tech, business, health, supply chain and food supply our recent history is intertwined with the hopes and sacrifices of immigrants at pretty much every level.

My grandfather, for example, was a farmer and janitor and died in his early 60s working in construction. They spoke Norwegian in the household my dad grew up in. My father insisted that I pick berries and work as a janitor (two-plus years at a fast food joint) before college so that I would respect/understand the sacrifices my grandfather made to put food on my father’s table- and everyone else who entered America under the first statue, the one of necessity.

I got the lesson for the most part, but also understand that we have to manage our borders, the distribution of services, etc. Don’t blame immigrants for public policy mismanagement. Don’t blame them for their willingness to study, work, invest and start a business to forge a better life. Instead, thank them.

Ask yourself a simple question: If all of the immigrants were removed from the USA of the last five decades, would our problems be gone… or might they actually be worse? I think we all know the answer.

Can we move on?

Note: I’ve been in Silicon Valley for the last 20+ years, the engine house for America’s exceptionalism, and there was not a single company that didn’t have someone whose heritage ultimately tracked back to every continent except this one and Antarctica. I just interviewed the CEOs of two startups, one of which has already been acquired to address cloud security issues and the other a play in high performance WAN monitoring. The leadership team and founders… are all immigrants.

Billionaires as the embodiment of evil

You don’t have to look too deeply into the spread of COVID19 to see a pattern. Those whose lifestyles are digital have been spared from the level of exposure of those who aren’t, from work, to leisure and education. And those who have digital careers on average make far more money than those in traditional industries. Digital companies are often far more valuable than traditional companies because of network effects and scale, which are powerful productivity enablers.

If you trace back the key innovators and risk takers who enabled the digital leap, they’re for the most part millionaires and billionaires. The source of their wealth is equity in game-changing companies that offer services most people want, NOT due to stealing money from the public.

These software, services and product companies are multiples more efficient than most of the carbon paper and fax machine bureaucracies of the virtually bankrupt public sector at almost every level.

Are billionaires the reason that a fed relief check takes 30 days and an Amazon electronic refund mere hours? Are they to blame for the funds required ($700k+) to build a single apartment for a homeless person in the San Jose area or the growing gap between revenue intake and service quality in the public sector, well beyond the NYC fax machines accepting unemployment applications?

Maybe, instead, we need more big innovations across the public and private sector. Note: I know places in the public sector that are innovating, taking bold steps to enhance service delivery and reduce costs etc but they are few and far between.

In fact, most billionaire companies are tied to innovations that have kept America exceptional. Yet we demonize them because they don’t sell their companies and “donate” the proceeds to various virtually bankrupt agencies, many of whom haven’t innovated basic operating practices for decades. Anyone familiar with the term “dumb money?”

The Foundation Phenomena / Paradox

Why do billionaires create foundations to address problems (where they can hire and fire and innovate as needed, versus turn it all over to x), where in most cases there is a pre-existing bureaucracy that has been in operations for decades attempting to do the same thing? For starters, most of them have playbooks written before mainframe computing was widely distributed in the form of servers and PCs. Some have warehouses filled with inoperable supplies.

I ask the same question I asked regarding immigrants: If we removed every billionaire from the USA would all of our problems be eliminated… or would they be worse? If we seized their assets in highly productive organizations and handed them over to the public sector would anyone notice any changes over the first five years?

Would they be good ones? Would poverty be erased? I don’t think so. Instead I think those blaming immigrants and billionaires would be looking for a new list of suspects to blame. Most of the “blame gamers” have not driven improvements in society, only stepped up to point them out as a political stepping stone to notoriety.

I agree with Marc Andreessen’s essay on Silicon Valley losing its focus on basic social needs. We’ve just passed through a series of innovations and missteps as usual. And disruption creates unequal payoffs, especially early in the cycle. But the fact that he focused on the Valley as a solution (and a big part of the problem) to the way forward while chiding mayors, governments and aspiring politicians to step up… is a telltale sign. Is it worth the effort? See his spot-on comment:

Demonstrate that the public sector can build better hospitals, better schools, better transportation, better cities, better housing. Stop trying to protect the old, the entrenched, the irrelevant; commit the public sector fully to the future.

Got a fax machine and carbon paper? Maybe you too are cut out for leadership….

The way forward is innovation… not the seizure of billionaire assets and their conversion into larger stacks of carbon paper, file cabinets and fax machines. Or sending immigrants back home to build their former home countries. It’s to cultivate greatness here in the still exceptional USofA.

Eerie discoveries in thin substance research fuel speculation about what comes after silicon and oil.

Is free energy around the corner?

[Updated March 13, 2020] Last year a highly respected technologist (and friend) told me “free energy” was the most interesting and likely innovation on the horizon. When my eyebrows raised he continued, “Oh yeah, it’s real close.”

Since exploring the possibility of thin matter (graphene) and free energy in Antioch for several years now, I shouldn’t have been surprised. Frankly, I was quite surprised. He wasn’t talking, of course, about the instant global adoption of free energy, but rather the prospects of someone figuring it out… in the near future.

It’s a great angle, of course, for a dystopian novel with a social media war between two secretly united “opposing” groups struggling to keep the public distracted from the power of bold innovation. That’s right: two enemies united by a common purpose. Been there, seen that, have a few T-shirts.*

But what if we are getting close? What would it mean? “Passive carbon” energy anyone? Electric cars with unlimited range?

The prospects of free energy were in the crazy bin in 2011 when I started writing novels. (They might still be today-lol.) In Antioch scientists in the mid-to-late 2020s were making some cool discoveries with layered graphene. They accidentally discovered the power of a new generation of advanced materials with eerie properties and a life was lost. So the “free energy” conversation entered the scene a bit closer to reality this time around- almost nine years later.

Things May Have Changed This Week

A few nights ago a friend sent me an email about scientists now predicting new states of matter. This followed another article on atom-scale materials and another on new types of hidden frequencies revealed by a graphene amplifier. [Thank you Stu and Rick!] The implications are powerful. Think materials that generate power passively, on their own, with or without sunlight or other forms of fuel.

Because the strength of the force falls off rapidly with distance, it is measurable only when the distance between the objects is extremely small. On a submicron scale, this force becomes so strong that it becomes the dominant force between uncharged conductors. In fact, at separations of 10 nm – about 100 times the typical size of an atom – the Casimir effect produces the equivalent of about 1 atmosphere of pressure (the precise value depending on surface geometry and other factors).

Quantum Pucks?

Could layered sheets of one atom thick material amplify a Casimir effect and produce energy (the layered graphene “puck” from Antioch that led to the accidental explosion) anywhere they were placed? Could they be the building blocks for a new generation of hyper powerful fuel cells or solar panels that produce massive energy from small cells?

I’m not a physicist and I have the college transcripts to prove it. Numerous experts have told me everything on the electrical and mechanical sides of things has been discovered and there wasn’t any room left for speculation. That makes these eerie properties of thin matter more than interesting IMHO. How many layers of graphene could be stacked in a 3 inch puck?

You may have already read about new approaches for creating graphene at much lower costs (from trash). If thin materials became inexpensive we could see an accelerated pace of change. Recycling that turns garbage into energy cells? That’s pretty interesting.

Perhaps we’re on the cusp of a new thin (quantum) materials age with a broad spectrum of new potentials for massive leaps forward. Recent headlines point in that direction.

The Agrippa quandary is the trade-off between the discovery of free energy (from “zenin” or layered graphene) and the destruction it would wreak across dozens of industries; and the lengths a global entrenched status quo would go to slow it down or perhaps ultimately own it.

Eerie New Alliances

There would be plenty of unintended consequences from a radical shift from carbon combustion to “passive carbon” energy. Lots of sponsored research arguing “x” vs “y” impacts and who would benefit.

A new generation of potential billionaires would battle with an older generation, etc. Crumbling bureaucracies would battle with new carbon coalitions working on climate solutions. Extremists on the Left and Right could easily join together in a pragmatic defense… of the tainted status quo.

The powerful carbon trifecta program discussed years ago at Future In Review could become a reality and reduce the carbon footprint on a global scale. [Note: See Everett Rogers Diffusion of Innovation, for how people typically react to new technologies. Then make it an exponential reaction.] That’s huge.

Graphene Valley?

Recent breakthroughs in graphene and other thin materials are making a new range of outcomes more possible, perhaps on a far greater scale than silicon… and in an even shorter time frame. Will there be a Graphene Valley or would abundant energy accelerate the diffusion of innovation?

I’m old enough to remember the fission/fusion hype cycles that quickly swept from headlines into cinema and then the dust bin. Yet I’m convinced this coming revolution could be much different. It could be a deep, fundamental shift, well beyond just battery storage and greater electric car range.

Reflecting on the global disruption of silicon (and social media) I couldn’t help but to speculate on what something even more disruptive could do to the already uneven playing field between zip codes, public bureaucracies trapped in decades’ old operating models and new generations of entrepreneurs changing the world on even larger scales.

You can call these new materials atom-scale or… quantum materials, for their strange new properties. It doesn’t matter. Either way, it’s pretty clear we’re likely on the cusp of a new age and many of us are going to feel quite provincial as research continues to discover something much more powerful than silicon. Even those of us in Silicon Valley are likely in for some surprises.

What do you think? Feel free to weigh in here or on social media. You know who you are. We’ve been having these discussions for years. Tell me I’m wrong once again.

If you are aware of research which proves or disproves any of this feel free to share in comments or, even better, at the Sword of Agrippa Facebook page (see below), which is much more active. I’ll add some of the best links, etc into this post over time.

I agree, as you suggest, that major disruptions are coming – and they will not only be exponential, but super-exponential. And this will call for anticipatory scenarios development, interventions, innovations, and most importantly, imagination. All of which leads to a need for a broader development of futures consciousness, which is what After Shock is all about. We can’t afford to be “future deniers”! After Shock speaks to taking our future head on, to shape it as opposed to be shaped by it. We do live in exciting times!

===============

A friend also shared this article on Tesla and some mystery surrounding a particle beam weapon and some potentially missing files. Check out graphene and Perovskite grapes for solar efficiency.

Note: I don’t blog very often about my science fiction writing. It has been my “mental golf” for many years now. After reading an interview with Guy Kawasaki encouraging marketeers to do something wildly different, I started the quest in 2011. I’ve met some incredible people from around the world with similar experiences, passions/interests and managed to use my writing as a kind of weekend meditation retreat. Thank you to all of you who have encouraged me along the way. It means a great deal to me. Feel free to join us at the Agrippa Facebook page.

*WHILE SUPPLIES LAST: I have a few leftover Sword of Agrippa T-shirts with the old cover and my obsolete pen name. Contact me if you want one. I’m very easy to reach via LinkedIn and the Agrippa Facebook page.

The Capital One breach last year was significant on multiple fronts. A trusted financial services brand on a leading public cloud environment was easily breached, to the tune of 10M records compromised. I discovered Cloudneeti in January after I heard about their ability to enable DevSecOps operating models. I asked CEO and cloud veteran Gururaj Pandurangi for his thoughts on the breach:

Q) Last year’s Capital One breach exposed a massive trove of sensitive data. How could one of the world’s most trusted financial service companies operating on one of the most secure cloud infrastructures get breached to such an extent?

[Gururaj] The Capital One breach was a combination of missteps. The most significant factor was an experienced former AWS employee who knew how to abuse different misconfigurations. There were additionally some minor IaaS issues, and I’ve heard that the provider has promised to fix them. Part of this is also a cultural issue of using traditional on premises processes for the cloud and generally how tradeoffs between the need for speed and complex security/compliance policies are resolved. It should be noted that every company will face a combination of these conditions and threats in some shape or form. Misconfigurations combined with insider threats are clearly the biggest risk. The lesson from these types of breaches is that enforcement, similarly, needs to evolve.

Q) Why are cloud security and compliance postures so difficult to maintain, given the massive investments IaaS leaders have made in security?

[Gururaj] The cloud is allowing dev teams to accelerate their development cycles beyond anything possible for most traditional on premises environments. Changes can be made faster than ever. New apps, new business units, increasing frequency of releases and new cloud features have all contributed to an increase in the pace of change. And the policies and frameworks themselves have hundreds if not thousands of configuration requirements. So higher rates of change, the very nature of cloud workloads that are easily exposed to the Internet combined with complex requirements, have substantially increased risk, even for companies investing heavily in best practices. We’ve done scans of many considered to be well-run environments and the compliance scores came out much lower than what was expected by the customer.

Q) What kinds of tools do cyber criminals use to exploit configuration errors and how commonplace are they? What levels of skills do they require?

[Gururaj] Today cyber criminals need to become cloud experts. And the increasing pace of change also makes many of their traditional tools obsolete. The cloud providers have made significant investments in OS and network enhancements, which have closed some of the frequently used entry points. The good news is that the evolution of IaaS and PaaS, serverless, databases in the cloud are forcing cyber criminals to evolve, since their old tools aren’t as effective against these new environments.

Even more important is the emergence of new SaaS tools that help protect these more dynamic environments. For example, an entire new class of cloud security posture management (CSPM) solutions has emerged to automate security and compliance assurance. Some are built for traditional SOC environments to quickly discover misconfigurations and others, like Cloudneeti, for DevSecOps models to prevent misconfigurations from ever happening. Dev and security teams can operate at almost the same fast pace today, without the conflicts and tradeoffs required with traditional manual processes.

Thank you Gururaj!

You can sign up for a 30-day free trial on Azure Marketplace. You can discover in minutes how well your cloud environment scores against more than 1,500 security policies and 13 compliance frameworks.

Is your company addressing the growing gaps between digitalized, dynamic infrastructures (cloud, SDN, SD-WAN, etc.) and outdated cultures and tools? Contact me and I may ask your CEO three questions.

SD-WAN deployment has accelerated in recent years as organizations extend SDN benefits across wide area networks. It’s a pretty transformative process, producing new management and cost benefits along with new user experience and performance demands.

A few weeks ago I discovered NetBeez, a network monitoring company with a unique, proactive, user-centric approach to monitoring these more dynamic networks. Their hardware and software sensors are deployed at the edge, including before SD-WAN deployment, to assess MPLS vs internet tradeoffs, from a user’s perspective.

A recent SDX exchange on the future of SD-WAN late last year prompted me to ask Stefano Gridelli, founder and CEO of NetBeez, three questions about SD-WAN monitoring. His perspective has been shaped out of network engineering roles in health care, which inspired him and his team of founders to introduce a better way to monitor SDNs and SD-WANS.

If anything, industry speculation at the end of 2019 about the “cloudy” future of SD-WAN brings new questions about gaps between new forms of dynamic network infrastructure, existing tools and practices and the evolution of careers in networking:

Q) Why is SD-WAN different when it comes to monitoring?

[Stefano] SD-WAN is a game changer in terms of network management. Benefits of SD-WAN include ease of configuration and operation, cost reduction from the use of Direct Internet Access (DIA) mixed with traditional transport technologies (e.g. MPLS), and centralized management.

In terms of monitoring, most SD-WAN solutions have network and application visibility tools that provide statistics about top users and top applications. These statistics are collected by analyzing traffic traversing the SD-WAN router’s interfaces. The problem with this “passive monitoring” approach is that it doesn’t really build a network and application performance baseline (no user traffic, no data), and also reduced proactiveness on performance issues.

Another challenge of monitoring SD-WAN installation is that it makes use of tunneling, split tunneling, and virtualization. Since user traffic is dynamically routed, sometimes on a per-packet basis, across multiple lines, it is more difficult to pinpoint the root cause of performance issues. With split tunneling, users may use the Internet connection to browse public or SaaS applications, reducing visibility into the end-user experience from the centralized NOC.

Q) Do you think SD-WAN will be commoditized by the cloud or become more strategic?

[Stefano] I don’t believe public clouds will completely replace private data centers. There is no doubt more companies today are running a fraction of their compute workloads in AWS, Azure, or Google Cloud. Yet, I don’t see the future being run 100% on public clouds. I believe the hybrid multi-cloud model is the future. For that reason, I see SD-WAN supporting hybrid multi-clouds, and we will see cross pollination between networking vendors and public cloud providers. We’ll also see more startups in this space than before, thanks to the decoupling of hardware and software, and software companies like VMware, which has been mostly playing in the virtualization market, tapping this opportunity. To conclude, I still believe SD-WAN will become more strategic, so I differ with others.

Q) How will SD-WAN change how networks are managed?

[Stefano] SD-WAN simplifies WAN configuration and management. In traditional WANs, configuration and troubleshooting was mostly done via a command line interface, one device at a time. SD-WAN equipment is centrally managed from a web interface, and applying consistent network and security policies is much easier. This advancement requires less skilled network engineers to operate SD-WANs, and I am sure that the larger the network, the higher the savings. AT&T for example is planning to cut over $1.5B in labor costs in the next few years.

Will network engineers be the casualty of software-defined networks, similar to what happened to switchboard operators last century? Network engineers are here to stay, at least for a while, but their job descriptions will change. Their roles will evolve into NetOps, and it will require a basic knowledge of the Linux operating system, of the Python programming language, and of APIs in general.

Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

==================

A friend just sent me a link to a blog predicting yet another CSO/CISO year of living dangerously. It’s a safe prediction. Since the spring of 2017 (or perhaps sooner) every year has become more precarious than the previous.

With thousands of security companies and billions in public vendor market caps offering protection, we still worry. We’re more exposed than any time in cyber history. You could say we’re dumbfounded.

The exposure problem is easy to comprehend, with just three key drivers:

Escalating complexity;

Escalating scale; and

Channel/architecture/message fatigue.

Escalating Complexity

From the original network, now partially virtualized (and partially frozen in time), to the rise of the cloud and various hybrid operating models, CSOs are trapped in unprecedented layers and levels of complexity. “Divide and conquer”, the maxim of Napoleonic battle strategy, has been flipped on its head as infrastructure has become fragmented beyond recognition, and rendered ripe for the picking by bad actors with even primitive hacking tools. Billions in security vendor market caps cannot fix this. Can any organization address this without breaking up with the network security / infrastructure cartels who themselves are trapped in monetizing complexity to the detriment of their customers’ careers?

Escalating Scale

As if complexity weren’t enough, thanks to the digital transformation traditional IT networks are now converging with OT networks, adding billions of insecure devices to the internet, creating new attack vectors which are much harder to protect from exploitation. We learned this in 2017 when NotPetya and WannaCry ravaged hundreds of global entities already investing heavily in cyber protection. The IIoT evolution represents a fundamental shift in scale and complexity. And the cartels will help you “discover” your problems so they can extend the complexity addiction deeper into your organization. More vulnerabilities, more jobs, more gear needed.

Stack Fatigue

Today’s network security cartels (and their wildly successful channel partners) that evolved to create today’s infrastructure served an invaluable purpose. They brought us from mainframes to deep, computerized connectivity in a matter of a few decades. They also engineered their own obsolescence. Unprecedented scale and complexity have broken their fundamental architectures, rendering them incapable, despite billions in market valuations, of providing fundamental protection, from edge to cloud. I’ve introduced this topic via panel to the next Future in Review.

These three drivers combine to force an ongoing churn of shifting, enigmatic choices and paradoxes that will start upending balance sheets tomorrow as they upend careers today.

Today’s Architectures are Very Profitable and Obsolete

For the established security vendors it’s deeper than a messaging problem, it’s a fundamental architecture problem that leads to a messaging problem. In short, how can these leaders white paper and webinar their way out of today’s deep, destructive architectural paradox? Maybe hire a leading analyst and have him/her perform a card trick that mesmerizes CSOs for another buying cycle?

I cannot help but think of the highly profitable 1950s tobacco companies advertising the health benefits of tobacco. Today’s security vendors, in effect, could be accused of doing the same thing today, monetizing CSO career dead ends with the mantra “All you need is complexity and more and more trained security pros.” That won’t last.

Hence my prediction: Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

The cloud needs the edge and the edge needs the cloud…

While pundits debate the edge versus the cloud (flashback reminder: the hybrid cloud debate of 2013) there will be a growing realization that the edge needs the cloud and the cloud needs the edge and both need a new vision of security and connectivity. The multi-billion cartel of today is out of sleight of hand card tricks… and a new infrastructure is needed.

Since the early days of TCP/IP, connectivity has created waves of multi-billion-dollar markets, seemingly out of thin air. All of the successes have had one thing in common: they created unprecedented network effects.

The 1990s ushered in the power of network effects. New levels of connectivity and scale allowed consumers then enterprises to deliver content and services virtually. The consumer web blended with the enterprise web, supply chains and so on.

The TCP/IP stack (developed almost fifty years ago) underneath this connectivity was promiscuous by design, almost to a fault. From communications to commerce we saw a radical reduction in friction and fortunes shift from manufacturers and services to connectors.

[Note: The “radical reduction in friction” link is to Bill Janeway’s amazing 2016 Future in Review keynote (start at 7 minutes in) on Flows. This is a must see for anyone interested in tech and economics.]

Network Effects are More Powerful than TCP/IP Inventors Could Imagine

Network effects have become more powerful than anything envisioned by the creators of the TCP/IP stack. Wave after wave of devices and functions, from supercomputers and dumb terminals to today’s industrial internet of things (IIoT) have been connected. And the connection process is still underway. The results are profound on almost unimaginable scales.

We’re still underestimating the power of network effects, this time to our detriment.

Let me first take you through some examples of the power and transformation underway in this new IIoT networking era. A commercial real estate developer can almost immediately increase the value of a portfolio of buildings by connecting their environmental controls to the cloud so that heating, cooling, etc. can be managed much more efficiently and at scale. Similar network effects play out in manufacturing, health care and even maritime, from smart factories and hospitals to advanced ships at sea.

Air Gaps Protected Sensors and Controls from Cyber Mayhem

Vast transformations taking place at the edge as it connects and interacts with the cloud are changing the fundamental chemistry of the internet from the standpoint of remote control of physical infrastructure. In effect, we’re creating “programmable perimeters” of sensors, controls and devices once built and installed exclusively for local/onsite control.

This massive leap from onsite to remote control crosses the air gap, the previous defense mechanism protecting the physical control of a facility from cyber mayhem. Because they were previously air gapped, very few of the billions of IIoT devices deployed had either cyber security designed in or even allowed for security updates (commonly known as patches).

Billions of industrial controls are already connected to the network, to the internet. And hundreds of millions are insecure and may never be patched. This level of susceptibility of facilities and data makes the preconditions to the creation of the firewall industry in the 1990s trivial by any measure. And that is the core challenge of our digital generation IMHO.

The Firewall Chasm is… IIoT

While nations fret about “unskilled” workers at their borders (a hint back to that Janeway address you probably passed over because the internet has shrunk your attention span) the bigger problem is “skilled” workers easily traversing networks and nations.

We Need a New Firewall Vision based on the Concept of an Air Gap: We Need an Airwall

The firewall was created in parallel with the rise of network security. First came the network, then came network security. Now we have an internet enabling remote control of our physical places/spaces… an Internet of Places. We need secure networking, in the form of an Airwall, an air gap firewall built specifically for the secure networking demands of the digital age.

What are those demands? Think Purdue Model cybersecurity based on IIoT (versus IT) cybersecurity requirements. We need to shift our thinking from the “next-generation” UTM-think (“defense in depth” kluge of layers and logs and skills shortages) to a fundamentally new approach to secure networking for IIoT. Otherwise this new digital age is a nightmare.

The growing attack surface of the new industry 4.0 internet is a big problem. On this everyone agrees. But underneath the headlines and the frequent “patch now” warnings from firewall vendors is a more ominous reality few are talking about: the exponential vector problem.

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable. An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time. – Archimedius

“Based on France’s experience with trench warfare during World War I, the massive Maginot Line was built in the run-up to World War II… French military experts extolled the Line as a work of genius… The line has since become a metaphor for expensive efforts that offer a false sense of security.” – Wikipedia

The Maginot Line was built based on the assumption that the next French war would be fought based on the technology of the last one. When the Germans quickly and easily conquered France, they did it by simply going around it.

Most firewalls deployed today were architected in the 1990s… when there was only one way into a network. Today there are trillions of attack vectors and growing.

Old Architectures versus New Realities

Deploy a firewall in front of each device? That would bankrupt most organizations. That is, if they could find enough skilled security pros to manage them. The new digital era problem: how old architectures address new realities. It’s complicated… and expensive… just like the Maginot Line.

A few weeks ago this came up on an episode of theCUBE, recorded after Gabe Lowy published his thought-provoking paper: Securing Critical Infrastructure Against Cyberattack. I mentioned how “we don’t even have the semblance of a Maginot Line when it comes to IIoT infrastructures. And these infrastructures offer access to critical systems in factories, hospitals, cruise ships and even power and water stations.

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable. An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time.

About 200 million Internet-connected devices—some that may be controlling elevators, medical equipment, and other mission-critical systems—are vulnerable to attacks that give attackers complete control, researchers warned on Monday. – Ars Technica

Deep Asset Risk

It’s no longer just about data exfiltration but also the specter of the loss of physical control. Thanks to the overwhelming business advantage of digitalization, many organizations are creating massive, porous attack surfaces of insecure devices responsible for controlling physical infrastructure, from water, HVAC and power to medical, manufacturing and even maritime structures.

What Could Go Wrong?

The digital paradox is the inherent conflict between business advantage and deep asset exposure to bad actor control. And we’ve already seen the opening moves in the new hacker game. The lines between networks, nations and organizations are getting blurred by vanishing air gaps that once protected these devices from unseemly remote actors.

Unintended Consequences

Let’s face it, we’re emerging from the perfect Sorites Paradox scenario, where a heap of sand (the growing business value of interconnectivity) is eroded just one grain at a time by malware or remote bad actor control. Today, as billions of insecure devices connect, there is a growing, critical mass of exposure where many more grains can exit at a time.

I discussed this in more detail with Gabe Lowy, Tempered’s Bryan Skene and SiliconANGLE’s John Furrier a few weeks ago on theCUBE. You can read more about it as well at A Clear and Present Danger.

For example, attacks against critical infrastructure in Ukraine in 2017 (WannaCry and NotPetya) inadvertently spread globally and shut down hospitals, ships at sea and even distribution centers. They were among the most devastating and unintended cyber attacks of all time. Oops.

These attacks aimed at Ukraine accidentally cut globally like a hot knife through warm butter, from network to network, nation to nation, seeping into the critical systems of some of the most well-defended companies. Read excellent coverage of NotPetya in Wired.

IT isn’t ready for IIoT

The firewall vendors warn you to patch and segment, segment, segment. How many skilled security experts will it take to protect you? How many lines of code? How many ACLs? The answer: you’ll never have enough resources. See this 102-second explanation from former Wall Street infrastructure analyst Gabe Lowy on the futility of the firewall in the age of IIoT:

“So if you’re an organization moving IIoT data from your OT systems across your network into IP analytics systems or software, that’s lateral movement. Your firewall - traditional firewall - just not going to be able to handle that and protect against it…”

From Geeks and Greeks to Rolling Stones

That brings us to another insight from the ancient Greeks: the myth of Sisyphus. The firewall and segmentation problem is, at its core, a scale and resilience/availability challenge exacerbated by the direct link between skills shortages and human error in the security chain. Every step up the mountain, a step back. All the while the attack surface grows and the attack vectors proliferate.

What could go wrong?

A recent theCUBE panel on IIoT and cyber war concluded that the bad guys were already in your network. They are being held back by the threat of attacks against their own soft underbellies. But what about private players who are primarily playing defense and have no offensive countermeasures?

The digital enterprise merely connecting IIoT devices to the internet? Do they launch attacks against bad actors or do they just pay ransom? Today I suspect they’re simply paying up or suffering the losses. Maybe they’ll take out cyber attack insurance.

The ancient Greeks took exception to rolling stones uphill. It was a notable curse.

Think you can hire and spend your way to the top with your existing security stack? Get Gabe’s paper here.

The IIoT problem no one has been talking about, despite high profile attacks:

“The hyper-converged infrastructures we’re building because of overwhelming business advantage are putting us at an overwhelming cybersecurity disadvantage.” – Archimedius blog

Had a chance to talk about the problem with John Furrier, Bryan Skene and Gabe Lowy, the author of the recently published paper “Securing Critical Infrastructure against Cyberattack” on SiliconANGLE theCUBE this week: watch the panel on YouTube.

If you’re not concerned about the security risks of digitalization then you’re not paying attention. “The level of scale, porosity and risk is unprecedented…”

Right after we celebrate the birthdays of two of the most destructive cyber attacks ever launched (WannaCry and NotPetya) a disturbing VxWorks advisory is issued for billions of IoT devices, and perhaps millions of them are unpatchable. There is a simple, fundamental equation that no one seems to grasp when it comes to IT skills, resources and capabilities: IT<IIoT

It’s clear the digital era we’re being pulled into is creating a massive attack surface; and there are not enough people, training courses and/or funds to deploy another layer of traditional firewalls, access control and segmentation solutions fast enough to keep up. And the security and networking cartels would rather sell you more of the same (see below):

This stack is DOA for IIoT. It’s too cumbersome, complex, expensive for the digital era we’re entering (of billions of connected devices, many of which are easy targets to get inside a network). And, even worse, none of these solutions were architected for the demands of IIoT. An upcoming paper by unencumbered network infrastructure analyst Gabe Lowy spells out the critical shortcomings of the current network security stack:

Traditional firewall and VPN solutions were not architected for Industrial Internet of Things (IIoT) initiatives. They were designed to protect against earlier generations of malware. As such, they are no match for the IIoT threat environment.

His five requirements (availability/resilience; scale; visibility; management; and security) will certainly stir the pot with the traditional network stack vendors. I’ll share a link to the paper in August when it’s published.

It is readily apparent the network security stack has arrived at the same place it was in the 1990s, with the advent of the firewall in response to primitive worms and viruses attacking small pockets of connected networks (what we called the information superhighway). Yet that highway was nothing compared to today’s emergent digital era.

What the New Equation Means in Terms of Risk: “We’re not in Kansas Anymore”

What’s at risk beyond the new ability to compromise physical spaces, from lighting, to water, employee/customer access, patient care and diagnosis, production lines and transportation? The basic tenets of the digital era… or some could say the tenets of western civilization itself. Hyperbole, you say? Well, read this sobering report on the prospects for cyber war based on Richard Clarke’s new book (The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats) and how this new reality levels the playing field between the “superpowers” and the isolated upstarts once solely obsessed with nuclear weapons:

In the real world, Iran does have significant offensive cyber capabilities. The barrier to entry to having a meaningful cyberwar offensive force is low. Countries that could never defeat the United States in a purely conventional military battle can pose significant asymmetric risks to us in cyberspace.

– Fast Company Editors reviewing Richard Clarke and Robert Knake’s The Fifth Domain

A new approach is needed. But first we have to realize that IT<IIoT.

The hyper-converged infrastructures we’re building because of overwhelming business advantage are putting us at an overwhelming cybersecurity disadvantage.